The Enforcement Bureau of the Federal Communications Commission (FCC) reached a $7.4 million settlement with Verizon on September 3, 2014, after an investigation into the company’s use of customers’ personal information for marketing purposes. This $7.4 million fine is the largest such payment in the FCC’s history for settling an investigation related solely to the privacy of phone customers’ personal information.
Section 222 of the Communications Act, entitled “Privacy of Customer Information,” imposes a duty on every telecommunications carrier to protect the “proprietary information” of its customers. These obligations are further clarified in the Customer Proprietary Network Information Rules (CPNI Rules) of the FCC.
Among other things, phone companies are prohibited from accessing or using certain personal information except in limited circumstances. To be able to use customers’ information for certain marketing purposes, phone companies must obtain the approval of their customers through an opt-in or an opt-out. When that process is not working, the phone company must report the problem to the FCC within five business days.
The FCC investigation found that, beginning in 2006 and continuing for seven years thereafter, Verizon failed to notify approximately two million new customers, in their welcome letters or their first invoices, of their privacy rights, including how to opt out of having their personal information used in marketing campaigns. Further, Verizon failed to discover this deficiency until September 2012, and failed to notify the FCC until January 2013, over four months later.
Verizon represented that it took remediation efforts following discovery of the problem, including sending opt-out notices, banning all marketing, and implementing a new program to place a CPNI opt-out notice on every invoice, each month, for all the potentially affected customers (consumers and small and medium-sized business customers).
In addition to the $7.4 million fine, to be paid to the US Treasury, Verizon will be required to improve its privacy practices, including, among others, to:
- Designate a senior corporate manager to serve as compliance manager responsible for implementing and administering Verizon’s compliance plan;
- Notify all Verizon directors, officers, managers and employees of the terms of the consent order;
- Establish operating procedures to ensure compliance with the consent order;
- Develop and distribute a compliance manual regarding the handling of customer information;
- Establish a compliance training program;
- Notify customers of their opt-out rights on every bill;
- Monitor and test its billing system and opt-out notice process on a monthly basis, to ensure that customers are receiving appropriate notices;
- Report any detected problem to the FCC within 5 business days;
- Report any non-compliance to the FCC within 30 calendar days.
Several of the compliance obligations listed above terminate three years after the date of the Consent Decree.
The Federal Trade Commission is only one of the federal agencies charged with the protection of personal information. Several agencies have sectoral responsibilities, as well. As discussed above, Section 222 of the Federal Communications Act and the related CPNI Rules contain important provisions regarding the privacy of the personal information of phone users. These provisions are enforced by the Federal Communications Commission.